International Journal of Network Security, Vol.8, No.3, PP.235–242, May 2009 235 An Anonymous Sealed-bid Electronic Auction Based on Ring Signature Hu Xiong, Zhiguang Qin, and Fagen Li (Corresponding author: Hu Xiong) School of Computer Science and Engineering, University of Electronic Science and Technology of China No.4, Section 2, North Jianshe Road, Chengdu, 610054, China (Email: xionghu.uestc@gmail.com) (Received Oct. 08, 2007; revised Mar. 28, 2008; and accepted May 30, 2008) Abstract Privacy and anonymity have become two factors of in- creasing importance in auction protocol. This paper pro- vides an efficient sealed-bid electronic auction protocol based on the technique of ring signature and verifiable technique of encryption key chain. The peculiar charac- teristics of our protocol are non-repudiation of bidders but preserving their anonymity and allowing the auctioneer to determine the wining bid without revealing the losing bid. Our protocol has additional characteristics such as public verifiability, unforgeability, correctness and fairness. Keywords: Anonymity, encryption key chain, non- repudiation, privacy, ring signature, sealed-bid auction 1 Introduction 1.1 Backgrounds Electronic auctions are fundamental parts of the elec- tronic commerce technology. They are not only widespread mechanisms selling goods, but have also been shown applicable to task assignment, scheduling, or find- ing the shortest path in a network with selfish nodes [2]. To date, many researchers have studied and pub- lished various outstanding auction protocols [1, 2, 6, 16]. As there are a variety of auction styles such as English, Dutch, Sealed-bid, Vickery, and M+1, etc., whose rules are quite different, each protocol has distinctive goals and decision strategies depending on its own style. Our target among the auction styles is to design an efficient Sealed- bid auction in which a bidder commits his bid with which he is willing to pay on the items without disclosing of the bidding price then, after the bidding session, the auction- eer opens the received bids and declares the highest bid as the winning price and the winner who sent the highest bid. 1.2 Related works From the previous researches, we have figured out there exist two problems which can deteriorate the security of the auction. One is to identify the winner explicitly by the auc- tioneer alone. Otherwise, the winner can repudiate his bidding since he feels the winning price is too high to buy the items even if he cast at the winning price. In addition, a bidder can conspire with other bidders to decrease the winning price by not engaging in the winner identifica- tion. So the auctioneer must have the ability to authen- ticate real or equivalent identity of the winner without its assistance. Reference [16]treated non-repudiation as a mandatory requirement. But it does not meet anonymity so that these protocols raise privacy problem. In other references [1, 6, 8], they seemed to be anonymous in that only the indices of the winner are revealed to the auc- tioneer at the end of protocol. However, inevitably the auctioneer must perform supplementary communications with the winner, namely who is placed in the winning in- dices, to confirm the fact that he committed the winning bid. The other problem is the bid privacy, which is a fre- quently desired characteristic in auction schemes. It refers to the confidentiality of losing bids even after the auction ended. The privacy issues of the sealed-bid auction proto- col are listed in Table 1 for comparison [14, 19]. Franklin and Reiter [5] were among the first researchers to address electronic auction with bid privacy. They covered many problems such as secret sharing, digital cash and multi- casts as well as their own primitive technique called ver- ifiable signature sharing. Their protocol successfully pre- vents a single auctioneer from altering a bid or throwing an auction to a single bidder. Unfortunately, their pro- tocol also results in disclosing all bids to all auctioneers after the auction is closed. Kikuchi et al. [7] attempted to deal with such problems through secret sharing tech- niques, but Sako [12] pointed out that several problems still remain in their work. Felix [2] proposed a security model in which bidders themselves jointly compute the auction outcome so that any subset of bidders is incapable